ES2358114T3 - PROCEDURE AND SYSTEM TO CONTROL MOBILITY IN A COMMUNICATIONS NETWORK, RELATED NETWORK AND COMPUTER PROGRAM PRODUCT FOR THE SAME. - Google Patents

Abstract

A communication network, such as a Mobile IP network (30), comprises at least one mobile terminal (10) and a plurality of Home Agents (70) adapted to provide, within working sessions, communication services to the above mobile terminal (10). In the network (30) there is an Authentication, Authorisation and Accounting (AAA) platform (90), configured for identifying, within the above plurality, the Home Agent (70) that serves the at least one mobile terminal (10) in a selective and varying way within a single working session.

Description

Field of the Invention

[0001] The present invention relates to techniques for managing traffic in telecommunications networks.

[0002] The invention has been developed with special attention to the possible application in mobile networks based on IP (Internet Protocol), that is, more precisely, in networks where terminal mobility is managed with the mobile IP protocol .

[0003] In any case, the reference to this particular field of application should not be construed in a limiting sense to the scope of the invention.

Description of the prior art

[0004] Mobile IP networks identify a scenario in which a user moves within the network and generates the traffic that is directed within the network to the nodes (the corresponding nodes) with which the user is communicating.

[0005] During its movements, the user may have to change the access network (sub-network) that allows him to use IP services. This operation must be transparent to the user, so that it can be in communication with the corresponding nodes, without interruptions.

[0006] The traditional protocols on which IP networks are based, due to their nature, are not capable of managing moving IP terminals within the network. To fill this gap, the IETF standardization body (“Internet Engineering Task Force”) has defined the Mobile IPv6 protocol, which allows IPv6 mobile terminals to change their connection point to the network transparently with respect to applications.

[0007] The Mobile IPv6 protocol is specified in document rfc3775. This is the first of the different references made in this description of the draft standards or norms of the draft type -... or rfc ...: its related information is available to the public on the date of submission of this application on the IETF website at http://www.ietf.org or, alternatively, in the online database http://www.watersprings.org.

[0008] In case the Mobile Ipv6 protocol is adopted, two IP addresses are assigned to the mobile node. The first address is the Local Address (HoA): this address never changes and is used to uniquely identify the identity of the node (hereinafter also called the mobile or terminal node). The second address is the so-called attention address (CoA): this address identifies the actual position of the mobile telephone terminal in the visited sub-network and then changes to each movement from one sub-network to another.

[0009] Each movement that involves a change in the IP sub-network visited forces the mobile terminal to record its own Service Address for a server, called Local Agent (HA), which can be found in the provider's network (also called “ local network"). Any other IP terminal that attempts to communicate with the mobile node contacts the mobile node itself using the Local Address. Through normal IP routing, the traffic sent arrives at the HA, which redirects it to the real position of the mobile node, identified by the service address. In this way, all traffic destined for the mobile node is distributed by the Local Agent to the address of the current user, that is, the service address. Next, the mobile node must be able to constantly reach whatever its connection point to the network.

[0010] Figure 1 shows a generic scenario of using the Mobile IPv6 protocol within the IP network that hosts a mobile node.

[0011] In particular, in figure 1 a mobile node 10 has at its disposal a series of access points 20 that allow it to establish a connection with the network 30 of its provider and, more in detail, allows a session to open communication, designated with 40, through a particular server 50 called Local Agent. The communication session 40 implies, in the example shown, to receive the data traffic from a corresponding node, designated with 15. The movement of the mobile node 10 within the IP network is signaled by arrow 60. Local Agent 50 guarantees that the traffic generated by the corresponding node 15 arrives at the mobile node 10 whatever the current connection point of the mobile node.

[0012] The placement and loading level of Local Agent 50 greatly affect the performance experienced by the mobile terminal, since they affect the delay with which the mobile node receives data traffic and the duration of the temporary loss of connectivity (transfer latency) that occurs after each movement from one access point to another.

[0013] It is known [ref. draft-giaretta-MIP6-authorization-eap-00] that it is possible to dynamically assign to the mobile terminal, for example when it is turned on, a local Agent that is capable of providing optimal performance, that is, a local Agent that has its Provision sufficient processing resources and can be found as close as possible, in terms of number of IP sectors, to the connection point of the mobile terminal.

[0014] However, in time, the local Agent initially assigned according to these criteria, may no longer be able to provide a service with adequate quality. For example, this could occur in the following situations:

-after continuous movements of the mobile terminal, it is possible that the local Agent terminates quite far from the current connection point of the mobile terminal itself, which causes a large increase in transfer latency and the delay in transferring traffic to its destination;

-when the amount of traffic generated by the mobile terminals that can be found in the network changes, it is possible that the local Agent is subjected to a state of congestion, with the consequent inability to manage all the mobile terminals connected to it.

[0015] To solve this problem, an agreement called Protocol between local agents (HA-HA) [ref. draf-wakikawa-mip6-nemo-haha-01], which allows the mobile node to change the local Agent that is used at all times, each time having the device that is able to guarantee the best performance.

[0016] The architecture on which the solution of the Protocol between local agents is based, shown in Figure 2, establishes that the mobile node 10 is served, instead of by a single Local Agent 50 (as in the case where is shown in Figure 1), by a group of Local Agents 70 arranged in the operator's network 30. All local agents 70 belonging to the same group periodically exchange signaling messages to synchronize information about the position (i.e., the address local and the address of attention) of the mobile nodes that can be found within the network.

[0017] Due to this synchronization procedure, local agents belonging to the same group are seen by the mobile node 10 as a single "virtual" local Agent 80, which means that the mobile node 10 can be moved from a local agent to another without modifying its own local address, that is, with minimal impact on current communications.

[0018] This approach, however, has limitations that can make its application difficult, especially in the case of large networks (for example, large suppliers and operators with a significant number of local agents):

-each local agent must be configured manually [ref. draft-wakikawa-mip6-nemo-haha-01, page 17] with the addresses of all other local agents belonging to the same group. This makes service and supply management complicated, especially when the number of local agents that can be found on the network is large;

-to allow the mobile node to maintain the same Local Address regardless of the Local Agent that is being used at any time, local agents belonging to the same group must exchange, in a point-to-point mode, a high number of signaling messages, which are necessary to synchronize the tables of union between the local Directorate and the Attention Directorate This limits the scalability of the provision, increasing the loss of resources, such as, for example, bandwidth resources on network connections and the computing load on local agents.

[0019] Here below, to complete, the background documentation, cited as a reference, is included. They are mostly IETF standards and / or working documents.

- Mobility support for IPv6 (rfc3775); - IP Mobility Support for IPv4 (rfc3344); -Auto-address configuration without IPv6 status (rfc2462); - Diameter base protocol (rfc3588); - Internet key exchange (rfc2409); -Internet key exchange protocol (IKEv2) (draft-ietf-ipsec-ikev2-15) -Extensible Authentication Protocol (rfc3748); -EAP key management framework (draft-ietf-EAP-keying-03);

-Authorization and configuration of MIPv6 based on EAP (draft-giaretta-MIP6-authorization-eap-00); -Authentication protocol for Mobile IPv6 (draft-ietf-MIP6-auth-protocol-00)

Object and description of the invention

[0020] From the previous description of the current situation, it seems that there is a need to define a technique that allows modifying in real time, and with minimal impact on current communications, the local agent that is used through a mobile terminal .

[0021] The object of the present invention is to satisfy the above need and, in particular, the invention deals with the problem of providing a solution that does not have the critical points of the Protocol between local agents, and that can be used to allow the Mobile terminal is always served by a local Agent that is capable of providing optimal performance, without causing any interruption of user services.

[0022] In accordance with the present invention, this object is obtained by a method having the characteristics included in the following claims. The present invention also relates to a corresponding system, a network comprising said system, in addition to a computer program product that can be loaded into the memory of at least one computer and comprising portions of software code to activate the above procedure. . As used herein, the reference to said computer program product is understood as equivalent to the reference to readable media by a processor that contains instructions for controlling a computer system to coordinate the execution of the method according to the invention. The reference to "at least one computer" is intended to indicate the possibility that the present invention is implemented in a distributed and / or modular manner.

[0023] An embodiment of the presently preferred invention is applied to the provision of communications services to at least one mobile terminal in a communications network comprising a plurality of local agents, in which the at least one mobile terminal is served by means of a Local agent identified in the previous plurality. The services are provided to the mobile terminal in work sessions in a situation in which:

- an authentication, authorization and accounting (AAA) platform is provided in the communications network, and

-the local agent serving the mobile terminal is identified within the previous plurality through the AAA platform in a selective and changing way in a single work session.

[0024] The above preferred embodiment involves, among others, the following advantages:

-optimization of performance: the assignment of a local Agent closer to the mobile node allows the optimization of the performance experienced by the user, reducing the transfer latency and the transfer of traffic delay directed through the local Agent;

-balance of the load: the possibility of modifying the local Agent that is used by a certain user allows to intervene in real time in the division of the load between the local Agents that are present in the network, to adapt it to the type and quantity of user generated traffic. For example, to avoid the occurrence of a congestion state, it is possible to dynamically decrease the load level of a particular Local Agent by having one or more mobile nodes served by another Local Agent;

- Optimal use of the resources of the operator's network: the allocation of a local Agent closer to the mobile node allows to reduce the amount of traffic through the operator's network (for example, the central column). In particular, this guarantees an optimal use of network resources, preventing traffic related to mobile nodes from going uselessly through the geographical connections that make up the central column of the operator.

Brief description of the drawings

[0025] The invention will now be described, as a non-limiting example, with reference to the accompanying figures of drawings, in which:

- Figures 1 and 2 have already been previously described;

-Figure 3 shows a possible network architecture of the arrangement described here;

-Figure 4 shows in more detail the network architecture of the arrangement described here;

-Figure 5 shows a functional flow chart representing a reallocation procedure of the

Local agent initiated by a mobile node and ending successfully;

-Figure 6 shows a functional flow diagram representing a reassignment procedure of the local Agent requested by the mobile node, but rejected, since it was not authorized;

- Figure 7 shows a functional flow chart representing a reassignment procedure of the Local Agent initiated by the Local Agent currently used by the mobile node and successfully terminated;

- Figure 8 shows a functional flow chart representing a reassignment procedure of the local Agent initiated by the AAA server and successfully completed;

-Figure 9 shows a functional flow diagram representing a reassignment procedure of the local Agent initiated by the AAA server, but with failure, since it was related to a mobile node that does not support the procedure;

-Figure 10 shows the closing of the procedure through accounting messages;

-Figure 11 shows a possible division into zones of a network operator;

-Figure 12 shows a metric example among the zones into which a network operator can be divided;

-Figure 13 shows a possible new format of the union update message that can be used in the context of the arrangement described herein;

-Figure 14 shows the generic format of a mobility option that can be used in the context of the arrangement described here;

-Figure 15 shows a possible format of a reallocation data mobility option of the local agent that can be used in the context of the arrangement described herein; Y

-Figure 16 shows a possible format of a mobility option for reassignment tracks of the local agent that can be used in the context of the arrangement described herein.

Detailed description of the embodiments of the invention

[0026] Figure 3 shows with direct reference to the diagrams already shown in Figures 1 and 2, an example of a network architecture on which the arrangement described herein is based.

[0027] The architecture in Figure 3 provides for the use of the authentication, authorization and accounting platform (AAA) 90 of the provider with which the user has subscribed the service. This to make said platform, already normally present in the network provider 30, authorize, conduct and supervise the entire migration process towards a new Local Agent (designated local Agent), by sending configuration commands and information to the Agents local 70, present in the network, and to the mobile node 10. The communication between the Authentication, Authorization and Accounting platform (AAA) 90 and the mobile node 10 is carried out with the support of the local Agent that currently serves the mobile node (ie ie, the local Service Agent) through appropriate extensions in the AAA protocol, designated with 100 in Figure 3, and in Mobile IPv6 signaling messages, designated with 102 in Figure 3.

[0028] Each of the local agents 70 present in the network thus operates independently of the others and manages its own addressing space. Consequently, mobile node 10 modifies its own Local Address at each change of Local Agent. The survival of the application sessions is guaranteed by providing a transitional period during which the mobile node 10 can simultaneously use the old and new local addresses, so that the applications started before the reallocation procedure can be terminated without interruptions.

[0029] Operating in this way, although increasing the complexity of the mobile node 10, which must be able to communicate simultaneously with the old (service) and new (designated) local Agent, it is not necessary to provide for any information exchange for the coordination of local agents that are present in the network. This results in an increase in system scalability and a reduction in superior signaling.

[0030] The Mobile IPv6 protocol (MIPv6) is the proposed solution within the IETF (“Internet Engineering Task Force”), to manage the wide-range mobility of a terminal between IPv6 networks [ref. Rfc3775].

[0031] The relevant protocol allows a mobile node 10 to both access the network from different positions, preserving a unique identity, and dynamically change the junction point while maintaining the existing active connections.

[0032] As already indicated, the protocol manages the mobility of the mobile node by entering:

- two different IPv6 addresses for each mobile node, that is, a local address and a service address, and

-an agent, called Local Agent (HA).

[0033] From the two different addresses:

i) the first, namely the Local Address (HoA), is an address assigned by the provider with which the user has subscribed to the service; this address never changes (at least for the duration of the entire work session) and is used to uniquely identify the identity of the mobile node;

ii) the second, namely the attention address (CoA), is an address belonging to the visited network, obtained dynamically by the mobile node through automatic IPv6 configuration [ref. rfc2462]. This address locates the current position of the mobile node and, for this reason, changes with each movement of the mobile node itself.

[0034] The local agent resides in the network of the provider with which the user has subscribed the service (the so-called "local network") and its task is to redirect the traffic destined to the mobile node 10 (that is, the traffic directed to the Local address) to the current position of the mobile node itself (that is, the attention address or CoA).

[0035] Although IPv6 Mobile also introduces a communication mode, called route optimization, which provides for direct communication between mobile node 10 and corresponding node 15, without traffic passing through Local Agent 50, the agent's position Local 50 is particularly important for the proper functioning of the protocol and the performance experienced by the mobile node.

[0036] In fact, the Round Trip Time (RTT) between the mobile node 10 and the Local Agent 50 and, therefore, its distance, greatly affect the transfer latency, that is, the time interval during which, following a transfer, the mobile node is not able to receive and send packets.

[0037] Furthermore, if the communication between the mobile node 10 and the corresponding node 15 occurs in the bidirectional tunnel mode (for example, if the corresponding node 15 does not support the extensions provided by Mobile Ipv6), all data traffic it must pass through the local Agent 50 and, therefore, the position of the latter that depends on the position of the mobile node 10 greatly affects the transfer delay to which the data traffic is subjected.

[0038] The arrangement described here allows the mobile terminal to be assigned, at the time of its ignition, a local Agent that is capable of providing optimum performance, that is, a local agent that is as close as possible, in terms of the number of IP hops, to the connection point of the mobile terminal. This can be obtained through the use of some of the provisions available in the literature to dynamically configure the Mobile IPv6 terminals when entering the network, such as for example the provision described in [ref. draft-giaretta-mip6-authorization-eap00].

[0039] When, due to its continuous movements, the mobile node moves far away from its own Local Agent (Local Service Agent) and experiences a deterioration in the performance of the Mobile Ipv6 protocol, the arrangement described here allows the mobile node to be assigned from a new Local Agent (Designated Local Agent) that is able to provide better performance than the previous (Local Service Agent).

[0040] All without causing any interruption of the applications in progress and within a procedure performed under the control of the provider with which the user has subscribed to the service (local provider), which must authorize the change of Local Agent.

[0041] Figure 4 shows the general scenario and the elements of the architecture on which the proposed arrangement depends.

[0042] In particular, the following are indicated:

- an authentication, authorization and accounting server 110 of the local provider of the mobile node (that is, the AAA server of the provider with which the user has subscribed the service). On server 110, which substantially corresponds to the platform indicated with 90 in Figure 3, there is a module whose function is to authorize, control and monitor the reassignment procedure of the local Agent, send configuration commands and information to the mobile node 10 and Local agents 70 that are present in the network;

-a local Service Agent 120, that is, the Local Agent serving the mobile node 10. In the Local Agent 120 there is a module that interacts with the authentication, authorization and accounting server 110 and acts as an intermediary in communications with the mobile node 10;

-a designated Local Agent 130, that is, the Local Agent designated to serve the mobile node 10. In the Local Agent 130 there is a module that is able to receive from the authentication, authorization and accounting module 110, the configuration information for the use of the IPv6 Mobile service by authorized users (for example, local address, cryptographic material, granted privileges);

- a mobile node 10, namely the mobile node in which a module that interacts with the authentication, authorization and accounting server 110 resides through the local Service Agent 120 and ensures the survival of sessions of the application during the procedure Reassignment of the Local Agent.

[0043] The mechanism by which migration is managed from Local Service Agent 120 to Designated Local Agent 130 is based on the following technical approach.

[0044] Mobile node 10 declares to support the change of Local Agent without impact on current communications (ie, in a "seamless" manner) in the link update messages it sends to its own local agent, using one of reserved bits provided in [ref. rfc3775, page 39-41]: Local Agent 120 and server 110 are able to recognize which mobile nodes are capable of completing the procedure.

[0045] The procedure can be initiated from the mobile node 10, or from the local Service Agent 120, or even from the AAA server 110 of the local provider.

[0046] In the first two cases, the procedure is authorized in any case by the AAA server of the local provider 110.

[0047] In particular:

i) the mobile node may request the start of a reassignment of the Local Agent if it detects the existence of a Local Agent that could guarantee better performance (for example, the discovery of a Local Agent on its own link through the receipt of a router announcement message with bit H = 1 [ref. 3775, page 61-62]);

ii) Local Service Agent 120 can activate the procedure in case of overload;

iii) the authentication, authorization and accounting server 110 may result in the reallocation procedure of the Local Agent in order to provide the mobile node 10 with a Local Agent 130 that allows for better performance, usually characterized by a shorter distance in terms IP hops from the mobile node 10: to do so, the authentication, authorization and accounting server 110 keeps a record of all local Agents present in the network, of which the mobile nodes of each of them serve and of the position of the mobile nodes themselves.

[0048] The communication of the new configuration parameters in the mobile node 10 (namely, the address of the designated Local Agent, the new local address and the security-related associations) is obtained by defining new mobility options [ ref. rfc3775, page 46-47] within the link update (BU) and Binding Recognition (BA) messages: this approach has the advantage of releasing at the start of the Local Agent reassignment procedure of additional authentication events. Communication with the mobile node 10 can occur completely asynchronously (that is, it can be initiated at any time).

[0049] The survival of sessions of the application is guaranteed by the introduction of a mechanism for the management of the addresses that is similar to that foreseen for the procedure of “self-configuration without state” of IPv6 networks [ref. rfc2462]: each Local Address is associated with a status that indicates whether the address can be used for the start of new communications, or if it can only be used to end existing communications.

[0050] Regardless of which node activates the procedure, a mechanism is provided by which the mobile node 10 communicates to the network 30 if it supports the reassignment procedure of the Local Agent and, in particular, the change of Local Agent, without impact on Current communications In fact, the procedure of the proposed provision provides that, during a given period, mobile node 10 simultaneously uses two Local Addresses and then two Local Agents (120 and 130); This, in particular, implies that mobile node 10 starts and maintains two IPsec security associations with two different nodes.

[0051] It may happen, therefore, that not all mobile nodes are configured to support this new functionality. In addition, a terminal (for example, PDA), may be unable to support the procedure, since it has a limited processing capacity or a reduced memory space.

[0052] For this reason, each mobile node that supports the reassignment procedure of the local Agent communicates this capacity to the network, for example by setting 1 bit in the link update messages (R bit designated with 600 in the Figure 13) sending it to your own local Agent; in this way, the Local Service Agent 120 always knows which mobile nodes are capable of changing the Local Agent, without impact on current communications. This information, if necessary, is sent by the Local Service Agent 120 to the authentication, authorization and accounting server 110.

[0053] As noted above, the reassignment procedure of the local Agent can be initiated by the mobile node.

[0054] The mobile node may request the start of the procedure when it receives a router announcement message (AR) with the H bit set to 1; This means, in fact, that in the link where it is, there is a local Agent.

[0055] The authentication, authorization and accounting server may decide to authorize, or not authorize, the request from the mobile node 10, depending on the current state of the network and the profile of the service user.

[0056] In the event that the request is authorized, the entire procedure is described in Figure 5:

- in a step 200 the mobile node 10 receives a router announcement with the H bit set to 1 and decides to start a reassignment procedure of the local Agent;

- in a step 202 the mobile node 10 sends a link update message (BU) to its own local service agent 120, in which a mobility option is added, called the reassignment track mobility option HA. This option is a request to reallocate the local Agent and contains:

a) the address of the local Agent that sent the router announcement;

b) the address that the mobile node 10 configured in the visited link and that could be the new local address;

-in a step 204 the Local Agent processes the link update message as indicated in [ref. rfc3775, page 88-92]; if an HA reallocation track mobility option is present, the Local Agent sends to the authentication, authorization and accounting server 110 a diameter message of the local agent reallocation request with the following AVP attributes (Value pair of attributes):

a) AVP user name that contains the network access identifier of the user requesting the activation of the procedure. The network access identifier is the identifier used by the user during authentication; In general, it is of the user @ domain type. The Local Service Agent 120 knows the network access identifier of the mobile node that requires the initiation of the reassignment procedure of the Local Agent, since it is shared with it by an IPsec security association [ref. draft-giaretta-mip6-authorization-eap-00, page 19];

b) Local AVP service address containing the local address currently assigned to the mobile node;

c) AVP Designated Local Agent Address, and AVP Designated Local Address, respectively, containing the address of the designated Local Agent and the new Local Address (HoA) proposed by the mobile node in the HA reallocation track mobility option;

- in a step 206, the authentication, authorization and accounting server 110 checks whether the mobile node 10 is authorized to carry out the reallocation procedure of the local Agent; if the answer is affirmative, a designated local agent 130 is selected, possibly the one indicated by the mobile node 10 (the indications provided by the mobile node in the reallocation track mobility option HA are interpreted as a simple suggestion, which means that the authentication, authorization and accounting server 110 could assign to the mobile node 10 a designated Local Agent and a designated Local Address different from those required), and is dynamically configured in a step 208 (for example, using the procedure described in [ref. draft-giaretta-mip6-authorization-eap-00]). At the end of that communication, the designated Local Agent 130 is assigned the resources necessary to manage the mobile node 10;

-when the communication between the server 110 and the designated Local Agent 130 ends, in a step 210, the server 110 sends a Reassignment Response Diameter message from the Local Agent to the Local Service Agent 120 in which it inserts the following AVP attributes :

a) AVP user name containing the network access identifier of the mobile node 10;

b) AVP designated local agent address containing the address of the designated local agent 130 assigned to mobile node 10;

c) AVP designated local address containing the new local address of mobile node 10;

d) Lifetime AVP authorization that contains the lifetime, possibly equal to infinity, of the previous Local Address (Local Service Address). This value shows the remaining time during which mobile node 10 can continue to use the Local Service Agent, together with the designated Local Agent, to ensure the survival of sessions of applications that were already active before starting the agent redistribution procedure local. In other words, this lifetime shows how long the reassignment procedure of the local Agent must be completely completed;

-The Local Service Agent 120 receives this information and in a step 212 communicates it to the mobile node 10, including the reallocation data mobility option HA in the union recognition message (BA). This option shows whether the procedure has been successful through the Code field and contains the useful life of the previous Local Address, the address of the designated Local Agent and the new Local Address;

-the mobile node 10 receives this information and in a step 214 negotiates an IPsec security association with the designated Local Agent 130. Subsequently, the mobile node 10 can register itself with the designated Local Agent 130 through the acknowledgment messages binding and update link, respectively designated by references 216 and 218 in Figure 5. In this transitional period, the mobile node 10 communicates simultaneously using the local service address and the designated local address.

[0057] Communications between the authentication, authorization and accounting server and the designated Local Agent can be made according to what is defined in [ref. draft-giaretta-mip6-authorization-eap-00, page 9-12].

[0058] As indicated in [ref. rfc3775, pages 18-19], mobile node 10 and designated Local Agent 130 must share an IPsec 214 security association to protect mobile IPv6 signaling traffic.

[0059] As a preference, unlike what has been described in [ref. draft-giaretta-mip6-authorization-eap-00], the authentication, authorization and accounting server 110 does not send to the mobile node 10 a previously shared key (PSK) for the start of said IPsec security association through the IKE (Exchange of Internet keys) [ref. Rfc2409].

[0060] The "secret" shared to establish the Security Association may, in fact, be derived from the authentication procedure and, in particular, from the cryptographic material exported by the EAP (Extensible Authentication Protocol) procedure used. This assuming that the mobile node uses the EAP protocol [ref. rfc3748] to access the network and that the authentication, authorization and accounting server can securely communicate the PSK to the designated local Agent: an example of how this communication can be done is described in [ref. draft-giaretta-mip6-authorization-eap-00, page 11-12].

[0061] In the event that the request for reallocation of the local Agent from mobile node 10 is not authorized, the entire procedure is described in Figure 6:

-in a step 220 of the mobile node 10 receives a router announcement with the H bit set to 1 and decides to start a reassignment procedure of the local Agent;

- in a step 222 the mobile node 10 sends a link update message (BU) to its own Local Service Agent 120, in which a new mobility option is added, called the reassignment track mobility option HA;

- in a step 224 the Local Agent 120 processes the link update message as indicated in [ref. rfc3775, page 88-92];

- in a step 226 the authentication, authorization and accounting server 110 decides not to authorize the request;

- in a step 228 the authentication, authorization and accounting server 110 responds to the diameter message of the Request for reassignment of the local agent from the local service agent 120 by sending a reassignment response message of the local Agent with a Code Result AVP DIAMETER_AUTHORISATION_REJECTED (diameter authorization rejected) [ref. Rfc3588];

- in step 230, in turn, the local service agent 120 communicates with the mobile node 10, the failure of the procedure through a reallocation data mobility option HA containing the FAIL value in the Code field.

[0062] The reassignment procedure of the local agent can also be requested and started by the local Service Agent; in particular, the local service agent can request the start of the procedure for a mobile node in case it begins to overload and therefore has difficulties in managing all mobile nodes registered with it.

[0063] Figure 7 shows the flow of the procedure in case the request that comes from the local Service Agent has been regularly authorized by the authentication, authorization and accounting server. The stages that make up the procedure are as follows:

-the local Service Agent 120 in a step 240 experiences a trigger that initiates the procedure: as stated, the most significant case is that it has an overload of the local Agent;

-the local Service Agent 120 activates, in a step 242, the reassignment procedure of the Local Agent by sending to the authentication, authorization and accounting server 110 a reassignment request diameter message from the local agent, which contains the identifier of access to the network of the mobile node that would interrupt the service and the corresponding Local Address. The mobile node is selected from among those that support the reassignment procedure of the local agent, that is, between those who have sent a link update with the R bit equal to 1;

- the authentication, authorization and accounting server 110 controls, in a step 244, that the local service agent is authorized to initiate the reallocation procedure of the local agent for the selected mobile node. If the answer is yes, the server 110 chooses, through a suitable algorithm, a local agent designated 130 for that mobile node;

- in a step 246 the server 110 negotiates with the designated local agent 130 the Mobile IPv6 service and the corresponding resources to be allocated. This can be done using, for example, the procedure described in [draft-giaretta-mip6-authorization-eap-00];

- in a step 248, after completing the resource allocation procedure at the designated local agent 130, the server 110 sends to the local Service Agent 120 a reassignment response message from the local agent into which the following AVP attributes are inserted :

a) AVP user name containing the network access identifier of the mobile node 10;

b) Address of the designated local agent AVP with the address of the designated local agent;

c) AVP designated local address with the new local address;

d) Lifetime authorization AVP containing the useful life of the previous local address;

- as soon as the local service agent 120 receives, in a step 250, a link update message from the user (in order to expedite the procedure, the local service agent may send a link update request, BRR, a message requesting that mobile node 10 immediately send a new link update), responds, in a step 252, with a link acceptance message containing the HA reallocation data mobility option. This option contains the life of the previous local address, the designated local address and the new local address (that is, the configuration data provided by the server 110 in the previous diameter message of the reallocation response HA). Also in this case, the PSK to start the IPsec security association between the mobile node and the local agent is derived from the EAP;

- at that time, in a step 254, the mobile node 10 initiates an IPsec security association with the designated local agent and performs the Mobile IPv6 registration with the same (i.e., the link update and acceptance messages transmission of the link, respectively, designated by references 256 and 258 in Figure 7).

[0064] Also in this case, the authentication, authorization and accounting server 110 may decide not to authorize the reassignment procedure of the local agent requested by the local service agent; This is done by sending a reassignment response diameter message from the local agent to the local service agent with the result code AVP equal to DIAMETER_AUTHORIZATION_REJECTED (diameter authorization rejected).

[0065] Figure 8 shows the reassignment procedure of the local agent in case it is initiated by the authentication, authorization and accounting server 110.

[0066] At least depending on the experiences so far made by the applicant, this case is probably the most significant among those described.

[0067] Authentication, authorization and accounting server 110 detects, normally during a re-authentication procedure, that the mobile node is far away in terms of IP hops from the local service agent and, therefore, will benefit from the allocation of A new local agent. Information about the position of the mobile node can easily be obtained from the IP address of the network access server from which the user performed the re-authentication procedure.

[0068] The procedure comprises the following steps:

- in a step 260 the server 110 selects a suitable designated local agent, 130, and allocates the resources, following, for example, the procedure described in [ref. draft-giaretta-mip6-authorization-eap-00];

-Once the server 110 in a step 262 has configured the designated local agent 130, a request diameter message of activation of the reassignment of the local agent to the local service agent 120 is sent in a step 264 by inserting the following AVP attributes :

a) AVP user name that contains the user's network access identifier;

b) Local AVP service address containing the local address currently assigned to the mobile node;

c) Address of the designated local agent AVP containing the address of the designated local agent;

d) AVP designated local address containing the new local address assigned to mobile node 10;

e) Lifetime authorization AVP containing the life time, possibly equal to infinity, of the previous local address (Local service address);

- in a step 266 the local service agent 120 immediately sends a new link request message (BRR) to the mobile node 10 to request the transmission of a link update. The transmission of the BRR makes it possible to avoid communication timeout problems between the local service agent 120 and the server 110, since, otherwise, it is not possible to provide deterministically when the next link update will be received from the mobile node 10;

-after having received, in a step 268, the update of the mobile node link 10 which must be carried out by the reallocation procedure of the local agent, in the next link recognition, step 270, the local service agent 120 inserts a option for reassignment data mobility of the local agent that contains the useful life of the previous local address, the address of the designated local agent and the new local address;

- in a step 272 the local service agent 120 responds to the server 110 with a response message activating the reassignment of the local agent, in which it indicates that the mobile node 10 has received the information to complete the procedure;

- Then, the mobile node 10 can negotiate the IPsec security association with the designated local agent 130, step 274, and carry out the Mobile IPv6 registration with it, steps 276 and 278.

[0069] As noted above, the mobile node communicates with the local service agent, via link update messages, if it supports the reassignment procedure of the local agent and the mobility options defined herein. This information reaches the local service agent and not the authentication, authorization and accounting server; for this reason, the authentication, authorization and accounting server can initiate a reallocation procedure of the local agent for a mobile node that in practice does not support that functionality.

[0070] In this case, in a step 280 in Figure 9, the local service agent 120 realizes that the mobile node 10 does not support the requested functionality. In a step 282 the local service agent 120 communicates with the server 110 that the procedure cannot be carried out by means of a response message activating the reassignment of the local agent with the result code AVP equal to DIAMETER_UNABLE_TO_COMPLY (diameter unable to comply).

[0071] Based on the previously defined procedure, after the exchange with the local service agent of the link update and link acceptance messages containing the new mobility option and the subsequent registration with the designated local agent, the node Mobile has two local addresses associated with one or more of the local agents.

[0072] The way in which the mobile node manages the simultaneous presence of these two registers and the criteria based on which the registration of the local service agent is completely eliminated are described below.

[0073] In this context, it is desirable that the reassignment procedure of the local agent has no influence on ongoing communications.

[0074] For example, if the mobile node, as soon as the registration with the designated local agent finishes, carried out the deletion of the registration with the local service agent, possible ongoing sessions will not remain active, since they are identified by the local address related to the local service agent (that is, the local service address).

[0075] The approach proposed in the arrangement described here is similar to that used in IPv6 networks for stateless host configuration [ref. 2462].

[0076] The arrangement described here inserts a state machine that regulates the use of a local address and, in particular, indicates whether the local address can only be used for already active communications or also to initiate new communications.

[0077] The states that can be assumed by a local address are:

-a first state, here called preferred local address: it is an address for which there is no restriction of use of higher levels. This implies that this address can be used to initiate new communications; in the procedure described here, a local address is in the preferred state since when the mobile node is assigned until the agent reallocation procedure is completed with the assignment of a new local address (designated local address);

-a second state, here called obsolete local address: it is an address whose use is allowed only for already activated communications; therefore, it cannot be used to initiate new communications. The local address goes from a preferred state to an obsolete state when the reassignment procedure of the local agent is completed and the mobile node itself has registered with the designated local agent; Y

-a third state, here called invalid local address: an address in this state cannot be used by the mobile node for new communications, or for existing communications. The local address goes from an obsolete state to an invalid state when the mobile node has terminated all previously activated communications with that address; to avoid that a local address remains in the obsolete state for too long (for example, in the case of communications with a very long duration), an address may also go into the invalid state after a waiting period has elapsed (i.e. life indicated by the authentication, authorization and accounting server in the AVP lifetime authorization). It should be noted that, at the expiration of said waiting time, which must be characterized by a fairly high value anyway, the possible communications linked to said address are stopped.

[0078] To ensure the correct operation of the procedure, it is important that the authentication, authorization and accounting server 110 get to know when the procedure itself has been completed; in particular, it is necessary to provide that the authentication, authorization and accounting server 110 be informed about when the mobile node registers with the designated local agent and when its registration with the local service agent is deleted. This information will be made available to the authentication, authorization and accounting server 110 for two reasons:

-they are used as confirmation of the correct operation of the procedure, such that the authentication, authorization and accounting server 110 always knows the local agent serving a particular mobile node;

-they can be used by the authentication, authorization and accounting server 110 to decide whether to authorize a new reassignment procedure of the local agent; for example, the authentication, authorization and accounting server 110 may decide not to authorize a mobile node or the request of the local agent in case the mobile node itself has not yet completed a reallocation of the local agent.

[0079] The proposed provision provides that this information be provided to the authentication, authorization and accounting server 110 using the diameter accounting messages; The procedure consists of the steps used in Figure 10:

- in a step 300 the mobile node 10 sends a link update message to the designated local agent 130; - in a step 302 the designated local agent 130 responds to the mobile node 10 with an acceptance of the link;

- after the mobile node 10 has registered with the designated local agent 130, in a step 304 the designated local agent 130 itself sends an accounting start message to the server to confirm the registration made; From this message, the server 110 understands that the mobile node 10 has started the real local agent reassignment procedure and that the mobile node is registered with two different local agents (i.e. the local service agent and the local agent designated);

-in the period indicated with 306, it happens that the mobile node 10 at the same time uses the local service agent 120 and the designated local agent 130;

- in a step 308, the mobile node 10 sends to the local service agent 120 a link update message with a lifetime equal to zero, in order to explicitly delete its own record, and in a step 310 it receives the message of acknowledgment of acceptance of the corresponding link. Alternatively, the mobile node 10 may leave its own register with the local service agent 120 that passes spontaneously, allowing its validity to be periodically confirmed by sending link update messages with the local service agent 120;

- after having eliminated the status related to the mobile node 10, in a step 312, the local service agent 120 sends an accounting stop diameter message to an authentication, authorization and accounting server 110, as occurs for Any network access server. The server 110 understands from this message that the mobile node is no longer registered in the local service agent 120 and that, therefore, the reassignment procedure of the local agent is completely terminated.

[0080] As indicated in [ref. rfc3775, pages 18-19], it is necessary for the mobile node and the local agent to establish an IPsec security association, for example through the use of Internet key exchange [ref. rfc2409], before exchanging any link update or link acceptance message.

[0081] Unlike what is described in [ref. draft-giaretta-mip6-authorization-eap-00], the provision proposed here establishes that the previous shared key needed to start the Internet key exchange is not explicitly sent to the mobile node, but is derived from it mobile node based on the key hierarchy of the EAP.

[0082] The procedure for deriving and using those keys is described here below.

[0083] At the end of the EAP communication, the mobile node 10 and the authentication, authorization and accounting server 110 share two keys derived from the specific authentication procedure used: it is the master session key (MSK) and extended master session key (EMSK) [ref. draft-ietf-eap-keying-03, page 13-17]. This last key in turn can be used to obtain other keys, defined as the application master session (AMSK), which are directly used by the applications [ref. draft-ietf-eap-keying-03, page 1317]; in particular, it is possible to deduce an application master session key specific to IPv6 Mobile that can be used as a PSK in phase 1 of IKE.

[0084] This key is derived from the EMSK by both the mobile node 10 and the authentication, authorization and accounting server 110; The latter must subsequently notify the local agent. This communication can be done through the diameter protocol, for example, with the approach defined in [ref. draft-giaretta-mip6authorization-eap-00].

[0085] A possible function to derive from AMSK an AMSK for Mobile IPv6 is the following:

-KDF (K, L, D, O) = T1 | T2 | T3 | T4 | ...

-T1 = prf (K, S | 0x01)

-T2 = prf (K, T1 | S | 0x02)

-T3 = prf (K, T2 | S | 0x03) where

-prf = HMAC -SHA1

-K = EMSK

-L = key tag = "IPMv6 key"

-D = application data = Local agent address

-O = output length (2 bytes)

-S = L | “\ 0” | D | OR

[0086] Here is described a procedure that can be used by the authentication, authorization and accounting server 110 to choose the designated local agent 130 to be assigned to the mobile node during the reallocation procedure of the local agent.

[0087] The approach is based on the division of the operator's access network into different zones, each characterized by the presence of one or more local agents, as shown in Figure 11.

[0088] The mobile node 10 that can be found in zone 400 is normally managed by the local agent 410 corresponding to this zone; After a movement involving a change of zone, 420 or 440, the network must decide whether the affected areas are far enough to justify the start of a reassignment procedure of the local agent.

[0089] In addition to the areas in which the access network is divided, it may be useful to define one or more roaming areas 460 comprising local agents 470 dedicated to the management of users who are roaming in the networks of other providers 480. Figure 11 shows these local agents 470 placed within the backbone network 490 next to the points of interconnection with other networks.

[0090] To manage the reallocation procedures of the local agent through this approach, the server 110, possibly referring to a centralized database 500 (for example, an LDAP database), preferably maintains the following data structures:

- Zone table: in this table, the authentication, authorization and accounting server 110 maintains the list of zones into which the access network has been divided and the possible roaming zones;

- Network access server table: in this table, the authentication, authorization and accounting server 110 maintains the identifier of each network access server 510 that is present in the network (for example, router, access point ) and a list of information linked to it, among which, in particular, the IP address and the area to which it belongs;

-Table of the local agent: for each local agent an identifier (for example IP address, network access identifier) is maintained, together with other information both on the characteristics of the node (type, maximum capacity, etc.) and on the load level of the current node (that is, the number of users served, which can be updated based on the accounting information). In addition, in this table the authentication, authorization and accounting server 110 maintains the information about the area served by each local agent.

[0091] From the information contained in these data structures, the authentication, authorization and accounting server 110 is able to know in time in which area a particular mobile node can be found, the area to which its local agent of service belongs and the situation of the global network. However, this information may not be sufficient to decide when it is convenient, or even necessary, to perform the reassignment procedure of the local agent; To this end, a metric is determined that allows to provide an indication of the distance between zones and depending on these parameters decide whether to start the procedure.

[0092] An example of static metrics for the network of Figure 11 and its use for the purpose of making a final decision on the execution of the procedure shown in Figure 12. The rows of the table represent possible zones (400, 420, 440, 460) belonging to the main local agent, while the columns similarly represent the areas where the mobile node can be found during its movements. Each box contains a value that represents the distance that separates the zone of associated rows from the zone of the associated column. When referring to this table, the authentication, authorization and accounting server 110 can at any time obtain the metric associated with the distance from the area related to the local service agent to the area in which the mobile node can be found. Depending on the value of these parameters, server 110 may decide whether or not to start the reassignment procedure of the local agent. As an example, it is possible to assume a metric at three levels (1, 2 and 3) that has the following meaning:

-1 = the reassignment procedure of the local agent is not necessary (that is, the zone belonging to the local service agent coincides with the zone in which the mobile node can be found, or at least the two zones are very close in terms number of IP hops);

-2 = the reassignment procedure of the local agent is optional (that is, the zone belonging to the local service agent does not match the zone where the mobile node can be found, but the two zones are not separated anyway enough to make it strictly necessary to use the reassignment procedure of the local agent);

-3 = the reassignment procedure of the local agent is mandatory (that is, the zone belonging to the local service agent is very far from the zone in which the mobile node can be found so that the use of the agent reassignment procedure local is highly recommended).

[0093] An alternative provision provides for the dynamic update of the metric based on the instantaneous load of the network, which can be evaluated through the round trip time estimate (RTT) between the different local agents and the RTT between the mobile nodes that are present in each zone and the corresponding local service agents.

[0094] The format of the previously defined mobility options and the AVP attributes (Attribute Value Pair) are included here.

Figure 13 shows the format of the link update message, in which bit 600 is defined, defined by the arrangement described here: bit 600 (R) is set to 1 by the mobile node if it supports the reallocation procedure from the local agent.

Figure 14 shows the format of a generic mobility option, as specified in [ref. rfc3775, page 46-47]; as can be seen, it is a format of the TLV type (Type, Length, Value) with the presence of Type 610, Length 620 and 630 data fields.

Figure 15 shows the reallocation data mobility option of the local agent. The defined fields are as follows:

-field 640 (Code): shows the result of the procedure. This field can have the following values:

i) 0 = Success

ii) 128 = Failure

-field 642 (reserved): field reserved for future use;

-field 644 (lifetime): this field indicates the value in units of four seconds of the useful life of the local address currently assigned to the mobile node (the local address related to the local service agent, namely the local address of service). This value can also be infinite;

-field 646 (local address): contains the new local address assigned to the user (that is, the designated address);

-field 648 (local agent address): contains the address of the designated local agent.

[0095] Figure 16 shows the format of the mobility option for reallocating tracks of the local agent.

[0096] It should be noted that it shows the fields of the local address 646 and the address of the local agent 648 already entered for the reallocation data mobility option of the local agent. These fields may contain a null value in case the mobile node requests a reassignment procedure from the local agent, without having received any router advertisement with bit H = 1.

[0097] The diameter messages used in the arrangement proposed here are the following:

- Request for reallocation of the local agent. This message is sent by the local service agent to the authentication, authorization and accounting server to request the start of the local agent reassignment procedure; It contains the following AVP attributes:

-AVP username; -Address local AVP service; -Appointed local address AVP (optional); -Address of the local agent designated AVP (optional).

- Response of reallocation of the local agent. This message is sent by the authentication, authorization and accounting server to the local service agent to communicate the new configuration parameters that have to be delivered to the mobile node as part of the local agent reallocation procedure; It contains the following AVP attributes:

-AVP username; - Local address designated AVP; -Address of the local agent designated AVP; - Lifetime authorization AVP.

-Application for activation of the reallocation of the local agent. This message is sent by the authentication, authorization and accounting server if a local agent reallocation procedure for a particular mobile node is proposed to the local service agent; It contains the following AVP attributes:

-AVP username; -Address local AVP service; - Local address designated AVP; -Address of the local agent designated AVP; - Lifetime authorization AVP.

-Response to the activation of the reallocation of the local agent. This message is sent by the local service agent to notify the authentication, authorization and accounting server that the mobile node has been warned about the need to carry out the reallocation procedure of the local agent; It contains the following AVP attributes:

-AVP username; -AVP result.

[0098] The AVP attributes used and / or defined in this document are the following (the description is based on conventions and data types specified in [ref. Rfc3588]):

- AVP user name (AVP code 1). This AVP contains the username expressed in the form of a network access identifier. The AVP is of the type UTF8String.

-Address local AVP service. The AVP data field of this AVP is of the IPAddress type and contains the local address related to the local service agent.

-Appointed local address AVP. The AVP data field of this AVP is of the IPAddress type and contains the local address related to the designated local agent.

-Address of the local agent designated AVP. The AVP data field of this AVP is of the IPAddress type and contains the local address of the designated agent.

- Lifetime authorization AVP (AVP Code 291). This AVP is of the Unsigned32 type; The value contained in the AVP data field represents the lifetime in seconds of the authorization to use the services for a given user. In the case of the reassignment procedure of the local agent, this value indicates the remaining time during which the mobile node can continue using the local service agent, together with the designated local agent, to ensure the survival of sessions of applications that were already active before the start of the reassignment procedure of the local agent.

[0099] The reallocation procedure of the described local agent has been detailed, taking into account a particular scenario, characterized in this way:

-the authentication of the mobile node to authorize access to the network is done through an EAP procedure (for example, EAP-SIM, EAP-AKA) that is capable of exporting keys that can be used by other applications;

-the movements of the mobile node between the different IP sub-networks are managed through the Mobile IPv6 protocol, which guarantees the survival of application sessions through mobility events;

-the signaling messages exchanged between the mobile node and the local agent are protected (ie, authentication, integrity and confidentiality) through an IPsec security association;

-the IPsec security association between the mobile node and the local agent is dynamically established through the IKE protocol;

- Communication between the authentication, authorization and accounting server and the local agents present in the network (that is, the local service agent and the designated local agent) is done through the diameter protocol.

[0100] The procedure of the described provision, however, can be extended, for example and without limitation, to situations in which:

-the authentication of the mobile node is carried out through procedures other than the EAP, but in any case capable of generating (on the mobile node and on the authentication, authorization and accounting server) cryptographic material that can be used by other applications (by example, mobile IP);

-the movements of the mobile node are managed through the use of the IPv4 Mobile protocol [ref. rfc3344], or other mobility management protocols based on similar architecture principles;

5-signaling messages exchanged between the mobile node and the local agent are protected through a mechanism that is different from IPsec (for example, the provision described in [ref. Draft-ietf-mip6-auth-protocol-00] ), but on the basis of the existence of a shared secret (for example, previously shared key) between the mobile node and the local agent;

10-IPsec security association between the mobile node and the local agent (on duty or designated) is dynamically established through the IKEv2 protocol [ref. draft-ietf-ipsec-ikev2-15], or other mechanisms that allow starting an IPsec security association from a shared secret (for example, previously shared key);

15 -Communication between the authentication, authorization and accounting server and the local agent (local service agent and designated local agent) is done using any other protocol that is capable of managing the transport of generic information content (RADIUS, SNMP, etc.).

[0101] Consequently, without departing from the inventive principle, constructive parts and embodiments can

20 change, even to a large extent, with respect to what is described and shown, merely as a non-limiting example of possible embodiments of the invention, without thereby departing from the scope of the invention, as defined in the appended claims.

Claims (34)

1. Procedure for providing communications services to at least one mobile terminal (10) in a communications network (30) comprising a plurality of local agents (70), wherein said at least one mobile terminal (10) uses the less an address to be served by a local agent (70) identified within said plurality and said services are provided to said at least one mobile terminal (10) in work sessions, the procedure being characterized by the fact that it comprises the steps from: -provide, in said communications network (30), an authentication, authorization and accounting platform, AAA (90); - selecting through said AAA platform (90), while said at least one mobile terminal (10) is served by a first local agent (120) in said plurality, a second local agent (130) adapted to serve said at least a mobile terminal; Y - reassign the supply of said services to said at least one mobile terminal (10) of said first local agent (120) to the second local agent (130), said reassignment step comprising sending from said AAA platform (90) to said at at least one mobile terminal (10) through said first local agent (120) configuration information that is adapted to configure said at least one mobile terminal (10) to access said services through said second local agent (130).

2.

Method according to claim 1, characterized in that it comprises the step of sending from said AAA platform (90) to said second local agent (130) configuration information that is adapted to configure the second local agent (130) to allow the provision of said services to said at least one mobile terminal (10).

3.

Method according to claim 1, characterized in that it comprises the step of reallocating the supply of said communications services to said at least one mobile terminal (10) from a first local agent (120) to a second local agent (130) of said plurality (70), the reallocation being initiated by said at least one mobile terminal (10).

Four.

Method according to claim 1, characterized in that it comprises the step of reallocating the supply of said communications services to said at least one mobile terminal (10) from a first local agent (120) to a second local agent ( 130) of said plurality (70), the reallocation being initiated by said first local agent (120).

5.

Method according to claim 1, characterized in that it comprises the step of reallocating the supply of said communications services to said at least one mobile terminal (10) from a first local agent (120) to a second local agent (130 ) of said plurality (70), the reallocation being initiated by said AAA platform (90).

6.

Method according to claim 3 or claim 4, characterized in that said reallocation is submitted to a consent message from said AAA platform (90).

7.

Method according to claim 1, characterized in that the method comprises the step of reallocating the supply of said communications services to said at least one mobile terminal

(10) from a first local agent (120) to a second local agent (130) of said plurality (70) ensuring the survival of ongoing application sessions. Method according to claim 1, characterized in that it comprises the step of reallocating the supply of said communications services to said at least one mobile terminal (10) from a first local agent (120) to a second local agent (130) of said plurality (70) when at least one condition chosen in the group consisting of: - said at least one mobile terminal (10) detects that said second local agent (130) is adapted to provide said communications services with better performance with respect to the first local agent (120); - said first local agent (120) detects the occurrence of an overload situation; Y - said AAA platform (90) detects that said second local agent (130) is adapted to provide said at least one mobile terminal (10) with said communication services with better performance with respect to said first local agent (120). Method according to claim 2, characterized in that said configuration information sent to said second local agent (130) constitute parameters chosen in the group consisting of: - an identifier of said at least one mobile terminal (10), - a new address assigned to said at least one mobile terminal (10) for communications with said second local agent (130), and -the parameters necessary for the activation of a security association that can be used in communications between said at least one mobile terminal (10) and said second local agent (130). Method according to claim 1, characterized in that said configuration information sent to said at least one mobile terminal (10) through said first local agent (120) comprises parameters chosen in the group consisting of: -the address of said second local agent (130), - a new address assigned to said at least one mobile terminal (10) for communications with the second local agent (130), and -the lifetime, possibly equal to infinity, of the address used by said at least one mobile terminal (10) for communications with said first local agent (120).

eleven.

Method according to claim 7, characterized in that, in order to ensure the survival of said current application sessions, it provides the step of signaling through a status function the fact that said address used by said at least one terminal mobile (10) for communications with the first local agent (120) is adapted to be used to initiate new communications and / or only to terminate existing communications.

12.

Method according to claim 11, characterized in that it comprises the step of assigning said status function at least one value chosen in the group consisting of:

-a first value, which identifies that said address can be used to initiate new communications, -a second value, which identifies that said address can only be used for existing communications, and -a third value, which identifies that said address cannot be used for new communications or for existing communications. 13. Method according to claim 12, characterized in that it comprises the steps of: - when said state function has said first value, assigning said at least one mobile terminal (10) a new address for communication with said second local agent (130), switching said state function from said first value to said second value , Y - switching said status function from said second value to said third value when said at least one mobile terminal (10) has terminated all previously activated communications depending on the address used for communications with said first local agent (120).

14.

Method according to claim 13, characterized in that it comprises the step of forcing said state function from said second value to said third value when a timeout interval elapses.

fifteen.

Method according to claim 2, characterized in that it comprises the step of establishing a security association (214) to protect communications between said at least one mobile terminal (10) and the second local agent (130) through the stages of:

- send, from said AAA platform (90) to said second local agent (130), at least one secret to establish said security association, and - deduct said secret from said at least one mobile terminal (10) of the authentication procedure performed with said AAA platform (90).

16.

Method according to claim 1, characterized in that it comprises the step of configuring said network as a network where the mobility of the terminal is managed with the Mobile IP protocol.

17.

System for providing communications services to at least one mobile terminal (10) in a communications network (30) comprising a plurality of local agents (70), wherein said at least one mobile terminal (10) uses at least one address to be served by a local agent (70) identified within said plurality, said services being provided to said at least one mobile terminal (10) in work sessions, the system being characterized by comprising an authentication, authorization and accounting platform, AAA , (90), wherein said AAA platform (90) is configured to:

- selecting, while said at least one mobile terminal (10) is served by a first local agent (120) in said plurality, a second local agent (130) adapted to serve said at least one mobile terminal, and -assign the supply of said services to said at least one mobile terminal (10) from said first local agent (120) to said second local agent (130) by sending said at least one mobile terminal (10) through said first local agent (120) configuration information that is adapted to configure said at least one mobile terminal (10) to access said services through said second local agent (130).

18.

System according to claim 17, characterized in that said AAA platform (90) is configured to send said second local agent (130) configuration information that is adapted to configure said second local agent (130) to allow the supply of said services to said at least one mobile terminal (10).

19.

System according to claim 17, characterized in that it comprises a first local agent (120) and a second local agent (130) of said plurality (70), the supply of said communications services being able to be reassigned to said at least one mobile terminal (10) from said first (120) to said second (130) local agent, the reallocation being adapted to be initiated by said at least one mobile terminal (10).

twenty.

System according to claim 17, characterized in that it comprises a first local agent (120) and a second local agent (130) of said plurality (70), being able to reallocate the supply of said communications services to said at least one terminal mobile (10) from said first (120) to said second (130) local agent, the reallocation being adapted to be initiated by said first local agent (120).

twenty-one.

System according to claim 17, characterized in that it comprises a first local agent (120) and a second local agent (130) of said plurality (70), the supply of said communications services being able to be reassigned to said at least one mobile terminal (10) from said first (120) to said second (130) local agent, the reallocation being adapted to be initiated by said AAA platform (90).

22

System according to claim 19 or claim 20, characterized in that said reallocation is submitted to a consent message from said AAA platform (90).

2. 3.

System according to claim 17, characterized in that it comprises a first local agent (120) and a second local agent (130) of said plurality (70), the supply of said communications services being able to be reassigned to said at least one mobile terminal (10) from said first (120) to said second (130) local agent ensuring the survival of the current application sessions.

24.

System according to claim 17, characterized in that it comprises a first local agent (120) and a second local agent (130) of said plurality (70), the supply of said communications services being able to be reassigned to said at least one mobile terminal (10) from said first (120) to said second (130) local agent under the occurrence of at least one condition chosen in the group consisting of:

-said that at least one mobile terminal (10) detects that said second local agent (130) is adapted to provide said communications services with better performance with respect to said first local agent (120), - said first local agent (120) detects the occurrence of an overload situation, and - said AAA platform (90) detects that said second local agent (130) is adapted to provide said at least one mobile terminal (10) with said communication services with better performance with respect to said first local agent (120). 25. System according to claim 18, characterized in that said configuration information sent to said second local agent (130) comprises parameters chosen in the group consisting of: - an identifier of said at least one mobile terminal (10), - a new address assigned to said at least one mobile terminal (10) for communications with the second local agent (130), and -the parameters necessary for the activation of a security association that can be used in communications between said at least one mobile terminal (10) and said second local agent (130). 26. System according to claim 17, characterized in that said configuration information sent to said at least one mobile terminal (10) through said first local agent (120) comprises parameters chosen in the group consisting of: -the address of said second local agent (130), - a new address assigned to said at least one mobile terminal (10) for communications with said second local agent (130), and -the lifetime, possibly equal to infinity, of the address used by said at least one mobile terminal (10) for communications with the first local agent (120).

27.

System according to claim 23, characterized in that, to ensure the survival of current application sessions, it comprises, associated with the address used for communications between said at least one mobile terminal (10) and said first local agent ( 120), a status function that indicates that said address is adapted to be used to initiate new communications and / or to terminate existing communications.

28.

System according to claim 27, characterized in that said status function is adapted to assume at least one value chosen in the group consisting of:

-a first value, which identifies that said address can be used to initiate new communications, -a second value, which identifies that said address can only be used for existing communications, and -a third value, which identifies that said address cannot be used for new communications or for existing communications. 29. System according to claim 28, characterized in that the system is configured to: - when said state function has said first value, assigning said at least one mobile terminal (10) a new address for communication with said second local agent (130), switching said state function from said first value to said second value , Y - switching said status function from said second value to said third value when said at least one mobile terminal (10) has terminated all previously activated communications depending on the address used for communications with said first local agent (120).

30

System according to claim 29, characterized in that the system is configured to force said state function from said second value to said third value when a timeout interval elapses.

31.

System according to claim 18, characterized in that the system is configured for the establishment of a security association (214) to protect communications between said at least one mobile terminal (10) and said second local agent (130), the system comprising said AAA platform (90) configured to send said second local agent (130) at least one secret to establish said security association, and to deduct said secret from said at least one mobile terminal (10) from of the authentication procedure performed with said AAA platform (90).

32

Communications network comprising a plurality of local agents (70) for providing communications services to at least one mobile terminal (10), wherein said at least one mobile terminal (10) is served by a local agent (70) identified within of said plurality and said services are provided to said at least one mobile terminal (10) in work sessions, characterized in that it comprises a system according to any one of claims 17 to 31.

33.

Communications network according to claim 32, characterized in that said network is a network where the mobility of the terminal is managed with Mobile IP protocol.

3. 4.

Product of the computer program adapted to be loaded into the memory of at least one computer

electronic and comprising portions of software code for performing the method according to any of claims 1 to 16.